Security Policies - Where to start
- Brian Lechner
- Jul 13, 2020
- 2 min read
Updated: Jul 31, 2020

Every organization needs security policies in place to provide direction for people and the company to improve the entity's security posture. These policies must be written in such a way as to work within the goals and objectives of the business as well as reflecting its risk appetite and risk tolerance. Business comes first; security policies can't be so stringent as to become an obstacle to strategic objectives or to employees getting work done.
So, where to start? You must first be aware of the risk appetite and tolerance of your organization. ISACA defines risk appetite as "The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission." They go on to define risk tolerance as "The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives."
Risk appetite, then, is the amount of risk the organization views as acceptable as it pursues its objectives. Risk tolerance is the degree of variance an entity accepts. An analogy presented by the FAIR Institute helps to better understand appetite vs. tolerance: "Given normal weather and other conditions, it is extremely rare to see law enforcement enforce the speed exactly at the limit. Consequently, while risk appetite can be thought of as a line drawn in the sand that helps to set expectations, risk tolerance can be thought of as the variance from appetite that drives day-to-day decisions to operate differently in some manner. Note the operative word here - decisions."
Security policies cover a lot of ground, from acceptable use policies, to router configuration, to employee off-boarding when employment is terminated. The number and nature of policies will depend on the entity's risk appetite, risk tolerance and the nature of the business. For smaller organizations that might lack a security committee, an information security manager or a person on staff with knowledge of information security, the task of knowing where to start can be daunting.
One go-to resource for security policy templates that can ease the burden of not knowing where to start is the SANS Institute. There you'll find templates that cover almost everything your company might need, and they are easily modified to fit nearly any entity.
You can find these templates here: SANS Institute Security Policy Templates
It is important to note that security policies are generally part of a larger enterprise security program which covers administrative, operational and technical safeguards. This will be addressed in future posts along with governance and frameworks.